
Linksys WiFi Gateway Remote Attack Risk Discovered

Glenn Fleishman writes "According to InternetNews.com, a tech consultant discovered that even if you turn the remote administration feature off on a Linksys WRT54G -- the single bestselling Wi-Fi device in the world -- you can still remotely access it through ports 80 and 443. Linksys sets the HTTP username to nothing and password to 'admin' on all of its devices by default. Web site scanning from anywhere in the world to devices that have routable Internet-facing addresses would allow script kiddie remote access, at which point you could flash the unit with new firmware, extract the WEP or WPA key, or just mess up someone's configuration and change the password."

23 of 311 comments

  1. Only 'moderately' critical ? by Space cowboy · · Score: 5, Insightful
    Security consultants Secunia rates the flaw as "moderately critical" and urged users to configure a strong password for the administrative Web interface or restrict access to the interface altogether.


    Whereas I (owning one of these boxes) rate the flaw as a combination of 'wide open', 'come and hack me, here I am', and 'criminally stupid'. What the [insert expletive] is the point of the 'turn off remote administration' option, if it doesn't turn off remote administration ??!!

    I always make sure I enter my own password into every system of mine that lets me. At least that way it's only ever *my* mistakes that will trip me up...

    Simon

    --
    Physicists get Hadrons!
    1. Re:Only 'moderately' critical ? by VC · · Score: 4, Informative

      It's not that bad... The thing is a Linux box, with an admin password.

      If you did the right thing and changed your admin password, then what you've really got is a Linux box on a WAN, with a hard-to-guess password.

      Besides which, you're running the Swedish firmware anyway, aren't you. :-)

  2. Ummmmm....... by Dr Reducto · · Score: 4, Funny

    I am grabbing my laptop right now and going to my newfound open access point!

  3. psst ... by nick-less · · Score: 5, Funny

    don't tell to my neighbour...

  4. All your gateways are belong to us by tedgyz · · Score: 4, Funny

    All your gateways are belong to us

    --
    "No matter where you go, there you are." -- Buckaroo Banzai
  5. Has nobody noticed these ports being wide open? by yebb · · Score: 4, Interesting

    Seems like a rather obvious issue; I'm surprised nobody noticed this before.

  6. How is this different from normal? by Gothmolly · · Score: 5, Insightful

    Since 70%+ of the wireless users on my block do not activate WEP, or change the default channel, or use a non-default SSID, I'm willing to bet that nobody went through the effort to manually deactivate the admin interface, or change the password. You could argue that that is merely a de facto flaw, while the listed vulnerability is de jure, but from a practical perspective, this is no less secure than everything was anyway.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:How is this different from normal? by ideatrack · · Score: 4, Insightful

      You could argue that, but seeing as there are decent sysadmins out there (no really) who will have turned this feature off, it's pretty severe. Admittedly if I had turned it off, then I'd check to see if that was actually the case, but it's very easy to just believe the interface. After all, they'll have checked it before shipping it, won't they? Won't they?

    2. Re:How is this different from normal? by mccalli · · Score: 5, Informative
      Unlike Netgear, Linksys routers have no way to stop broadcasting the SSID

      Mine does - I've got a "Wireless SSID Broadcast: Enable/Disable" option on the Wireless page. I'm running firmware 2.02.2

      Cheers,
      Ian

  7. things like this... by fabs64 · · Score: 5, Insightful
    Honestly, these sorts of completely blatant and downright dangerous security holes in software, I think, should pave the way for making developers culpable for damages incurred by defects in their software.

    I mean honestly, if a Surgeon said that they sewed up a hole in your stomach but really didn't they would be considered criminally negligent wouldn't they? How is a company allowed to release something as obviously dangerous as this to the public without having some sort of liability?

    1. Re:things like this... by gclef · · Score: 5, Insightful

      There's a concept called "fitness for purpose" that I think applies here. If you used bicycle tires on a car, for whatever reason (price being an obvious one), if you then got hurt in your car, you'd have no one to blame but yourself. Bike tires aren't fit for use on a car.

      By the same logic, if you used a cheap, home-user piece of crap for a life-critical operation, you deserve to be sued into oblivion, since it wasn't designed for something critical. Personal firewalls like this Linksys thing are not suited for life-critical use, and everyone who knows what the hell they're doing should realize that.

      If you use a piece of software that is sold as "fit for this purpose" (like, using windows-embedded health monitoring devices) and it fails due to a poor design, then you're right on...the vendor of that device should be sued.

  8. 2 points by millahtime · · Score: 4, Informative

    1) 90% of the people that buy these are your basic at-home users. They don't ever change the default settings. It's just set up and go. There are 5 such ones in range of my apartment alone.

    2) 99% of people aren't going to update the firmware when it comes out so this bug will be floating around for some time.

    The average joe 6 pack needs to be forced to use the security with it. If you give it as an option then it many times will be ignored. Security needs to be made part of the setup and updates need to be easy to install.

  9. port forwarding by Anonymous Coward · · Score: 4, Interesting

    What happens if you are forwarding port 80 to an internal box? That's what I currently do. If I access my external IP I get my webpage; I can only get my router's admin page by using its internal IP.

    1. Re:port forwarding by mccalli · · Score: 5, Informative
      What happens if you are forwarding port 80 to an internal box?

      From the article:

      "As a workaround until a firmware upgrade is issued, Rateliff recommends the use of port forwarding send ports 80 and 443 to non-existent hosts. "Note that forwarding the ports to any hosts -- including listening ones if you are actually running servers -- will override the default behavior," he explained."

      So you're ok. As am I, or at least as I will be after I've just finished forwarding 443...

      Cheers,
      Ian

  10. The reason the risk is "moderate" is... by Ath · · Score: 4, Insightful

    1) This problem is specific to one version of firmware. I can guarantee it has not been there in many of the versions I have used. 2) It only affects units that have not had their default password changed. I agree it is a security risk but it should be kept in perspective. If a user does not change the password, that is not a design problem of the firmware. The only real problem is that the function to turn off remote administration on the WAN port stopped working in the specific release of firmware. The article does not mention which version of firmware this guy was using, so we cannot confirm it. I personally use a modified version of the Linksys firmware, of which there are now quite a few.

    1. Re:The reason the risk is "moderate" is... by Ath · · Score: 4, Informative
      This problem is specific to one version of firmware.

      I should correct this because some people with the 2.02.07 version that this guy claimed to be using are reporting they cannot reproduce the problem.

      This could be basic user error. By the way, the remote admin function is disabled by default in the WRT54G firmware.

      What gets me is that if you want to bitch about the WRT54G firmware, there are plenty of better reasons than this apparently bogus one. Only the hacked firmwares really make this hardware shine (and have all functions plus new ones work properly).

  11. Bugtraq submission by mrgrey · · Score: 5, Informative


    Manufacturer: LinkSys (a division of Cisco)
    Product: Wireless-G Broadband Router
    Model: WRT54G
    Product Page:
    http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=601
    Firmware tested: v2.02.7

    In a recent client installation I discovered that even if the remote
    administration function is turned off, the WRT54G provides the
    administration web page to ports 80 and 443 on the WAN. The implications
    are obvious: out of the box the unit gives full access to its administration
    from the WAN using the default or, if the user even bothered to change it,
    an easily guessed password.

    I reported this to LinkSys (along with a number of other non-security
    related issues) on April 28. I received no response addressing this, and no
    updated firmware has yet appeared on their firmware page
    http://www.linksys.com/download/firmware.asp?fwid=201

    To work around this, you can use the port forwarding (irritatingly renamed
    to Games and whatever) to send ports 80 and 443 to non-existent hosts. Note
    that forwarding the ports to any hosts -- including listening ones if you are
    actually running servers -- will override the default behavior.

    On a personal note, there are a number of reasons for which I am thoroughly
    disappointed with LinkSys since the acquisition by Cisco. For the sake of
    what was once a rock-solid product and great brand name, I hope things
    change soon.

    --
    Alan W. Rateliff, II : RATELIFF.NET
    Independent Technology Consultant : alan2@rateliff.net
    (Office) 850/350-0260 : (Mobile) 850/559-0100

    [System Administration][IT Consulting][Computer Sales/Repair]

    --
    -Tolerate my intolerance
  12. Well... by Rican · · Score: 5, Funny

    ...anyone dumb enough to leave the router with the default password deserves to be h4x0red. I assume that by now pretty much anyone that owns a computer knows the need to create their own password not only for their PC but other devices/peripherals.

    Although, I tried changing mine to "penis" and it returned a message saying: "Password is too small."

    Go figure...

  13. What if some script kiddie meshed them all? by Baldrson · · Score: 4, Interesting
    The 32M RAM version of the WRT54G has enough capacity to run the current release of MeshAP. The problem is booting it off of the 8M of flash that is available on the WRT54G. You could overcome this by incrementally reflashing them to boot from the mesh itself. This would fix the security hole too.

    Understand, I'm not advocating any kids actually do this -- it's just a fun, if slightly whacked, idea.

  14. Additional info on WRT54G administration page by alanxyzzy · · Score: 5, Informative
    This BUGTRAQ article has some interesting observations made by the original reporter of this vulnerability.
    I have made the effort to grab three additional units, all v2 hardware, off-the-shelf, and here is what I have found: Two of three units came with the firewall enabled, while one of the three came with it disabled. The packaging leaves no evidence as to whether any of these items were previously opened and returned.

    Interestingly, all three units from local resellers came with v2.02.2 firmware, while the second unit from CDW I tested in March came with v2.02.7. BOTH of the units which came off-the-shelf with v2.02.7 behaved as previously described in my original notice; I do not have records of the firewall setting of the units from March, although they both did behave as predicted after a factory reset.

    I would like to assume that the one-of-three v2.02.2 firmware units which came with the firewall disabled was an anomaly, and possibly a customer return. Nicely, flashing these units to v2.02.7 retains all settings, including the firewall status.

    Now the catch. In v2.02.7 with the firewall disabled and remote admin turned off, the admin page becomes available on ports 80 and 443 on the WAN. This works whether the unit is in DHCP or PPPoE mode.

    Port State Service
    80/tcp open http
    443/tcp open https
    Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20

    So part of the original notice is valid, with the exceptions noted. I don't have any more v2.02.2 units to test as they have all now been flashed with v2.02.7, I have no more unmolested v2.02.7, and I am out of petty funds to purchase more :)

    So, I will eat some crow on the original notice. To sum up, the admin page is most definitely available to the WAN if the firewall is disabled, regardless of the remote admin setting. And at best the potential for getting a unit off-the-shelf with this behavior is somewhat like an Easter egg hunt. I have received an even mix of responses positive and negative to the original notice, so others are reproducing this OTS.

    Some thoughts...

    It could be reasonable that units which come v2.02.2 OTS then flash to v2.02.7 may not experience this behavior due to stored factory settings from the original v2.02.2 system carried over to v2.02.7. That would explain the exception of the OTS behavior of the v2.02.7 units received in March.

    Now I am also aware that other LinkSys items I have received have come with firmwares not yet available on the website -- most recent example, a WPS54GU2 which came with firmware 6032 while only 6031 was available on the website. It may be more reasonable that since the firmware v2.02.7 is dated March 17, my order for the WRT54G was placed on March 23, maybe a pre-release of the firmware? I cannot imagine that there would be such a diverse distribution of this product direct from LinkSys?
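The nmap output above shows that ports 80 and 443 are open on the WAN side, but not what is answering them: the router's own admin page or a web server you deliberately forwarded (comment 9). The following script, an added example that is not code from the original posts, from Rateliff, or from Linksys, makes that distinction for your own router. It assumes you run it from outside your network against your own public address (most routers will not hairpin a WAN probe from inside), and that the admin page, like the WRT54G's, guards itself with an HTTP 401 Basic-auth challenge. The HTTP replies quoted in its docstrings are constructed.

```python
"""Probe your router's public address to see whether the admin page answers on the WAN.

Added example; not code from the original posts, from Rateliff, or from Linksys.
Assumes: run from OUTSIDE the network against your own public address, and the
admin interface answers with an HTTP 401 Basic-auth challenge.
"""
import re
import socket
import ssl
import sys
from typing import Dict, Tuple

PORTS = ((80, False), (443, True))  # (port, use TLS)


def classify_response(raw: bytes) -> Tuple[str, str]:
    """Classify a raw HTTP reply as ('admin-login', realm), ('other-http', '')
    or ('no-http', '').

    Constructed example:
      b'HTTP/1.0 401 Unauthorized\\r\\nWWW-Authenticate: Basic realm="WRT54G"\\r\\n\\r\\n'
      -> ('admin-login', 'WRT54G')
    A 401 carrying WWW-Authenticate means a password-protected web interface is
    listening; the realm string says which one. Any other well-formed reply
    means some other HTTP service (a forwarded web server, say) is answering.
    Anything else means nothing spoke HTTP to us.
    """
    if not raw.startswith(b"HTTP/"):
        return ("no-http", "")
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    code = parts[1] if len(parts) > 1 else b""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    challenge = headers.get(b"www-authenticate")
    if code == b"401" and challenge is not None:
        m = re.search(rb'realm="?([^"]*)"?', challenge)
        realm = m.group(1).decode("latin-1") if m else ""
        return ("admin-login", realm)
    return ("other-http", "")


def fetch_head(host: str, port: int, use_tls: bool, timeout: float = 5.0) -> bytes:
    """Send one HEAD request and return the reply bytes (empty on any failure).

    Firmware of this vintage speaks only SSLv3/TLS 1.0, which a modern ssl
    module refuses, so a failed handshake shows up as 'no-http' here; treat the
    plain port-80 answer as the decisive signal.
    """
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            # Consumer routers use self-signed certificates; we only want to
            # know whether the page answers, so certificate checks are off.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        reply = b""
        while b"\r\n\r\n" not in reply and len(reply) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
        return reply
    except OSError:  # refused, timed out, reset, TLS handshake failure
        return b""
    finally:
        if sock is not None:
            sock.close()


def check_wan_exposure(host: str) -> Dict[int, Tuple[str, str]]:
    """Probe ports 80 and 443 and return {port: (kind, realm)}."""
    return {port: classify_response(fetch_head(host, port, tls)) for port, tls in PORTS}


def admin_exposed(results: Dict[int, Tuple[str, str]]) -> bool:
    """True if any probed port answered with a login challenge."""
    return any(kind == "admin-login" for kind, _ in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <your-public-ip>")
    found = check_wan_exposure(sys.argv[1])
    for port, (kind, realm) in sorted(found.items()):
        print(f"{port}/tcp: {kind}" + (f" (realm {realm!r})" if realm else ""))
    if admin_exposed(found):
        print("Admin page reachable from the WAN: set a strong password now and "
              "forward 80/443 to an unused LAN address until fixed firmware ships.")
```

If the script reports `admin-login` on either port, the firewall/remote-admin combination described above is in effect on your unit; the stop-gap from the Bugtraq notice (forward 80 and 443 to an address nothing answers on) makes the probe fall back to `no-http`, which is the state you want to see from outside.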

  15. There are backdoored firmware available. by acz · · Score: 5, Informative

    Most Slashdot readers already know that there are a bunch of modified firmwares for the wrt54g such as this one. You should also be aware that there are already backdoored/rootkit versions (a custom version of teso's adore for the wrt54g which will hide specific clients, processes, MAC addresses and connections). It should also be noted that vulnerable Linksys access points are trivial to detect using kismet (runs on Linux, *BSD, Zaurus, wrt54g) or kismac (runs on Mac OS X).

  16. Serial number as username and password? by Pascal Sartoretti · · Score: 5, Insightful

    A basic problem with factory settings is the well-known usernames and passwords. Why not simply set them to the device's serial number?
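The suggestion above gets per-device defaults, but the serial number is printed on the label and is often sequential, so the label itself would become the password. The following added example (not code from the original post or from Linksys) shows the usual refinement: derive the default from the serial with a keyed hash, so each unit is unique but nobody can go from a serial to its password without the manufacturer's key. The factory key is a placeholder, the serials are constructed, and the device is assumed to store only a salted hash of the derived password, never the key.

```python
"""Per-device default credentials derived from the serial number, not equal to it.

Added example; not code from the original post or from Linksys. Assumes a
manufacturer-held secret (placeholder below) that never leaves the factory,
and that the serial printed on the label is public knowledge.
"""
import base64
import hashlib
import hmac
import os

FACTORY_KEY = b"PLACEHOLDER-factory-secret-key"  # held at the factory, never on the device
PASSWORD_LEN = 12
KDF_ROUNDS = 100_000


def derive_default_password(serial: str, key: bytes = FACTORY_KEY) -> str:
    """HMAC-SHA256(key, serial), base32-encoded (A-Z and 2-7, so no 0/O or 1/l
    confusion on a printed label), truncated to PASSWORD_LEN characters.

    Adjacent serials yield unrelated passwords, and without the key a serial
    tells you nothing about the password, unlike using the serial directly.
    """
    digest = hmac.new(key, serial.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii")[:PASSWORD_LEN]


def make_device_record(password: str) -> dict:
    """What the unit itself stores at the factory: a salted PBKDF2 hash of the
    derived password, not the password and certainly not FACTORY_KEY."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_login(record: dict, attempt: str) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), record["salt"], KDF_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    for serial in ("CDF50A123456", "CDF50A123457"):  # constructed serials
        pw = derive_default_password(serial)
        rec = make_device_record(pw)
        print(serial, pw, "derived-ok:", verify_login(rec, pw),
              "serial-as-password:", verify_login(rec, serial))
```

Note that the unit must still prompt for a password change on first login; a per-device default only removes the "admin on every box" problem the original notice relies on, it does not stop a user from keeping whatever is on the label.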

  17. not not .... well sorta by Merlin42 · · Score: 4, Informative

    Actually, I was able to reproduce the 'problem'. It is not mentioned in the article, but you can access the admin page from the WAN port if 'firewall protection' is disabled.

    In hindsight this sort of makes sense ... although it is NOT at all obvious at first glance.

    In any case I wouldn't consider this to be a HUGE problem since 'firewall protection' is on by default and 'Joe 6pack' is unlikely to turn it off, since the general perception among non-geeks (at least in my experience) is that firewalls are magical good things that block bad stuff (for varying definitions of bad).